Whenever sendmail receives an SMTP connection and request from a remote host, it spawns a new copy of itself to deal with the incoming mail message. This lets sendmail process multiple incoming mails simultaneously. However, as with most Linux applications, this comes with a trade-off: every spawned sendmail child consumes another portion of system resources, and enough of them can bog down your email server.
Because email addresses are by nature public, an email bomber could flood an email server with a large number of messages for delivery, something easily done with automated software. This scenario could cause a sendmail denial of service.
The sendmail directives below restrict and limit the number of sendmail children spawned, limit the number of connections accepted per second, restrict the size of incoming headers that sendmail will process, and lastly limit the maximum acceptable size of one message. By setting these sendmail directives, the effectiveness of such a denial of service attack on sendmail can be limited and/or delayed.
Sendmail Directives
confCONNECTION_RATE_THROTTLE
This is the number of connections the sendmail server can accept per second. In a default RPM installation, sendmail does not limit the number of connections per second it can accept. If this value is set and reached, any further connections are delayed.
confMAX_DAEMON_CHILDREN
This is the number of child processes that can be spawned by the server, i.e. the sendmail children. In a default RPM installation, sendmail does not define a limit to the number of spawned child daemons. If this limit is reached, further connections are likewise delayed.
confMIN_FREE_BLOCKS
This is the minimum number of free blocks that must be available for the sendmail server to accept mail. The default is 100 blocks. Once free space falls to the value specified with this directive, sendmail is instructed to stop accepting mail.
confMAX_HEADERS_LENGTH
This is the maximum acceptable size (in bytes) of an email's message header. Any message whose headers reach this limit is rejected and is not queued for delivery.
confMAX_MESSAGE_SIZE
Limiting the maximum acceptable size (in bytes) of an email message also limits a possible attachment bomb attack against the sendmail server. A sample sendmail.mc entry is included below.
confMAXRCPTSPERMESSAGE
This is the maximum number of recipients per message. Limiting the number of recipients a single email message can have restricts an email bomber trying to send one message to many recipients.
A sample entry for each of the above directives would be
define(`confMAX_DAEMON_CHILDREN', `10')
define(`confMAX_HEADERS_LENGTH', `32768')
define(`confMAX_MESSAGE_SIZE', `10000000')
define(`confMIN_FREE_BLOCKS', `3000')
define(`confCONNECTION_RATE_THROTTLE', `3')
define(`confMAXRCPTSPERMESSAGE', `30')
To implement the above sendmail directives, simply back up and modify your /etc/mail/sendmail.mc and recompile it again. For the changes to take effect, restart your sendmail service like so:
# vi /etc/mail/sendmail.mc
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# service sendmail restart
All is done.
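A common failure with this procedure is editing sendmail.mc and restarting the service without regenerating sendmail.cf, so the limits never take effect. The following audit script is an added example (not part of the original post): it parses the define() lines from an .mc fragment and the "O Name=value" lines from a .cf, then reports which of the six limits are missing from the .mc and which are stale in the .cf. The sample .mc and .cf texts are constructed here; the macro-to-option mapping is what m4 emits for these directives.

```python
import re

# m4 macro name -> option name m4 emits into sendmail.cf as "O Name=value"
MC_TO_CF = {
    "confCONNECTION_RATE_THROTTLE": "ConnectionRateThrottle",
    "confMAX_DAEMON_CHILDREN": "MaxDaemonChildren",
    "confMIN_FREE_BLOCKS": "MinFreeBlocks",
    "confMAX_HEADERS_LENGTH": "MaxHeadersLength",
    "confMAX_MESSAGE_SIZE": "MaxMessageSize",
    "confMAXRCPTSPERMESSAGE": "MaxRecipientsPerMessage",
}

# Accepts both quoted (`10') and unquoted (10) m4 values.
DEFINE_RE = re.compile(r"^\s*define\(\s*`?(conf[A-Z_]+)'?\s*,\s*`?([^')\s]+)'?\s*\)")
OPTION_RE = re.compile(r"^\s*O\s+(\w+)\s*=\s*(\S+)")

def parse_mc(text):
    """Return {macro: value} for define() lines; text after dnl is a comment."""
    found = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line.split("dnl", 1)[0])
        if m:
            found[m.group(1)] = m.group(2)
    return found

def parse_cf(text):
    """Return {option: value} for 'O Name=value' lines of a sendmail.cf."""
    return {m.group(1): m.group(2)
            for m in map(OPTION_RE.match, text.splitlines()) if m}

def audit(mc_text, cf_text):
    """Return (limits missing from the .mc, {macro: (mc_value, cf_value)} drift)."""
    mc, cf = parse_mc(mc_text), parse_cf(cf_text)
    missing = sorted(k for k in MC_TO_CF if k not in mc)
    stale = {k: (mc[k], cf.get(v)) for k, v in MC_TO_CF.items()
             if k in mc and cf.get(v) != mc[k]}
    return missing, stale

# Constructed samples: the .mc lacks a recipient limit and the .cf was not
# regenerated after MinFreeBlocks was raised from the 100-block default.
SAMPLE_MC = """dnl constructed sendmail.mc fragment, not from a real server
define(`confMAX_DAEMON_CHILDREN', 10)
define(`confMAX_HEADERS_LENGTH', `32768')
define(`confMAX_MESSAGE_SIZE', 10000000)
define(`confMIN_FREE_BLOCKS',`3000')
define(`confCONNECTION_RATE_THROTTLE', `3')
"""
SAMPLE_CF = """O MaxDaemonChildren=10
O MaxHeadersLength=32768
O MaxMessageSize=10000000
O MinFreeBlocks=100
O ConnectionRateThrottle=3
"""

if __name__ == "__main__":
    print(audit(SAMPLE_MC, SAMPLE_CF))
```

Run it against your real files with `audit(open("/etc/mail/sendmail.mc").read(), open("/etc/mail/sendmail.cf").read())`; an empty result means every limit is set and the compiled .cf matches.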
Monday, July 21, 2008
How To Limit Denial of Service Attacks to Sendmail
ILoveTux - howtos and news